how do you validate server cert & each of the certificate in the chain up to the ROOT in perl - 4 levels deep

Question

how do you validate server cert & each of the certificate in the chain up to the ROOT in perl - 4 levels deep.

I want to be able to check if they are valid & the signing is done right, also want to check if any of them are revoked in perl.

check: server cert-> chain1->chain2->root. I am not sure how to accomplish this step by step & error out accordingly.

Any references to a working example? This is what I have:

my $certclient = IO::Socket::SSL->new(
  PeerHost => "$host:$port",
  SSL_ca_file => Mozilla::CA::SSL_ca_file(),
  SSL_verify_mode => 0,
  SSL_version => 'TLSv1',
  SSL_cipher_list => 'RC4-SHA',
  Proto => 'tcp',
  Timeout => '5',
  ); 
  $certclient->verify_hostname($host, "http");

  my $cn = $certclient->peer_certificate("cn");

  $certclient->verify_hostname($host, "http");

thanks! http://search.cpan.org/~sullr/IO-Socket-SSL-2.003/lib/IO/Socket/SSL.pod

Answer 1

IO::Socket::SSL will do all the verification for you if you don't disable it by setting SSL_verify_mode to 0. It will also check if the certificate is revoked if you provide the necessary CRL (SSL_crl_file) or use OCSP by setting SSL_ocsp_mode and call $ssl->ocsp_resolver->resolve_blocking().

It does not provide an interface to do this steps by hand and neither does the underlying Net::SSLeay module. The OpenSSL functions necessary to do the verification are not exposed to Perl.